Microsoft has disclosed a high-severity Trade Server vulnerability that permits attackers to forge respectable senders on incoming emails and make malicious messages much more efficient.
The safety flaw (CVE-2024-49040) impacts Trade Server 2016 and 2019, and was found by Solidlab safety researcher Vsevolod Kokorin, who reported it to Microsoft earlier this yr.
“The problem is that SMTP servers parse the recipient address differently, which leads to email spoofing,” Kokorin stated in a Could report.
“Another issue I discovered is that some email providers allow the use of the symbols < and > in group names, which does not comply with RFC standards.”
“During my research, I did not find a single mail provider that correctly parses the ‘From’ field according to RFC standards,” he added.
Microsoft additionally warned at present that the flaw might be utilized in spoofing assaults focusing on Trade servers and launched a number of updates throughout this month’s Patch Tuesday so as to add exploitation detection and warnings banners.
“The vulnerability is caused by the current implementation of the P2 FROM header verification, which happens in transport,” Microsoft defined.
“The current implementation allows some non-RFC 5322 compliant P2 FROM headers to pass which can lead to the email client (for example, Microsoft Outlook) displaying a forged sender as if it were legitimate.”
Trade servers now warn of exploitation
Whereas Microsoft has not patched the vulnerability and can settle for emails with these malformed headers, the corporate says Trade servers will now detect and prepend a warning to malicious emails after putting in the Trade Server November 2024 Safety Replace (SU).
CVE-2024-49040 exploitation detection and e-mail warnings can be enabled by default on all programs the place admins allow safe by default settings.
Up-to-date Trade servers may also add a warning to the physique of any emails it detects as having a cast sender and an X-MS-Trade-P2FromRegexMatch header to permit admins to reject phishing emails trying to use this flaw utilizing customized mail stream guidelines.
“Notice: This email appears to be suspicious. Do not trust the information, links, or attachments in this email without verifying the source through a trusted method,” the warning reads.
Whereas not suggested, the corporate gives the next PowerShell command for many who nonetheless need to disable this new safety characteristic (run it from an elevated Trade Administration Shell):
New-SettingOverride -Identify "DisableNonCompliantP2FromProtection" -Part "Transport" -Part "NonCompliantSenderSettings" -Parameters @("AddDisclaimerforRegexMatch=false") -Motive "Disabled For Troubleshooting"
Get-ExchangeDiagnosticInfo -Course of Microsoft.Trade.Listing.TopologyService -Part VariantConfiguration -Argument Refresh
“Although it’s possible to disable the feature using New-SettingOverride, we strongly recommend you leave the feature enabled, as disabling the feature makes it easier for bad actors to run phishing attacks against your organization,” Redmond warned.
